What is the GDPR?
In April 2016, the European Parliament adopted new legislation that regulates, in a broader and more comprehensive way covering every country in the European Union, how the personal data of European citizens may be collected, stored, transferred and protected. This regulation (GDPR, the General Data Protection Regulation) aims to give citizens more control over how their personal information is used.
What is personal data?
“PII (Personally Identifiable Information): any information relating to an identified or identifiable natural person.”
“Identifiable” means a natural person who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data or an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
The data may be held on any medium, whether physical, virtual, graphic, technological or audio. This includes labels, files, RFID chips/cards, printed or written material, etc.
Treatment of personal data
The processing of personal data includes any action performed on it and may only be carried out when consent has been given. Consent must be:
- “Free”: based on a proactive action by the user, without limiting their access to services, and with the possibility of being withdrawn as easily as it was given;
- “Informed”: expressed in simple and direct language;
- “Specific”: consent must be given for each processing purpose (for example, registering to attend an event is different from registering to receive marketing information);
- “Express”: pre-ticked options are not allowed, and silence or omission cannot serve as “consent”;
- “Demonstrable”: the data processor must be able to demonstrate that consent has been given or withdrawn.
Processing is also permissible where there is a legitimate interest (e.g. collection of services), where it is required by a legal obligation, or in the course of performing a contract (payment of salaries, verification of complaints, etc.).
Data processing vs. Data control
It is critical that organizations involved in processing personal data understand their role and determine whether they are acting as a data processor or a data controller, because this distinction determines how responsibilities are allocated.
The data controller determines the purpose for which the data is to be used and how the data will be processed.
The regulation follows citizens and protects them anywhere in the world. This means it applies to any organization or event that collects or processes the personal information of European citizens, regardless of where the event takes place, whether inside the European Union or elsewhere.